Well, the short answer is ... nope ... that didn't fix it. At least not for
me. I think I'm going to try and take their patch out and then just put in
your 3 line change, see if that fixes it.
Troy
Troy Dawson wrote:
> Hi Stephan,
> First off, my apologies for replying so late, it's not that I don't
> think this
> is important, I just haven't had any clear plan on which direction to go.
>
> Second off, my thanks to Patrick. I was having a hard time in tracking
> this
> down, mainly because everytime I started something came up with higher
> priority.
>
> So what to do?
> Well, I guess the first thing is to check and see if it indeed does fix the
> problem. I am compiling right now as I write this.
>
> What I really love is that above where they comment it out, it has the web
> page reference to why they did it.
> http://mailman.mit.edu/pipermail/krb5-bugs/2003-September/001735.html
>
> Evidently, this is a "feature" and not a "bug" because it is
> "the behavior people seem to expect"
>
> So, it seems this is the second "feature" that RedHat has put into their
> kerberos that has just made me want to scream.
>
> So what to do?
>
> Well ... I'm thinking at least for starters, we have something in the
> contrib
> area that people can install that works. But then we have to see how many
> people actually want this feature.
>
> Troy
>
> Stephan Wiesand wrote:
>
>> Hi Troy,
>>
>> Patrick looked into this, and found that the following patch to krb5
>> makes the pam_krb5afs.so module and kinit work (give you an AFS token
>> in addition to K4/K5 tickets):
>>
>> --- src/include/kerberosIV/des.h 1999-09-24 23:16:08.000000000
>> +0200
>> +++ ../krb5-1.2.7.new/src/include/kerberosIV/des.h 2004-09-07
>> 14:39:51.000000000 +0200
>> @@ -54,7 +54,8 @@
>> #define NEAR
>> #endif
>>
>> -#ifndef __alpha
>> +//#ifndef __alpha
>> +#if 0
>> #define KRB4_32 long
>> #else
>> #define KRB4_32 int
>>
>> What actually fails is the clock skew test in pam_krb5afs.so.
>>
>> At first glance, it seems this was overlooked. But scrutiny of the
>> krb5.src.rpm reveals that it's much worse: There's a Patch37 with this
>> problem fixed and some similar ones as well, and it was backed out.
>> From krb5.spec:
>>
>> # Reverted, per
>> http://mailman.mit.edu/pipermail/krb5-bugs/2003-September/001735.html
>> # %patch37 -p1 -b .32
>>
>> Hence this is broken deliberately. I guess (haven't tried yet) rebuilding
>> krb5 with patch37 enabled, and rebuilding anything that includes
>> <kerberosIV/des.h> afterwards, will make things work. But at least in
>> some respect, this would no longer be a "RHEL compatible" system.
>>
>> One could probably build pam_krb5afs.so against a different build of
>> krb5,
>> use the 32bit versions of afslog/aklog, and keep stuffing holes as they
>> show up, but I don't like that idea too much either.
>>
>> Any ideas?
>>
>> Cheers,
>> Stephan
>>
>>
>> On Tue, 17 Aug 2004, Troy Dawson wrote:
>>
>>
>>> *Troy sits with a puzzled look on his face*
>>> I really could have sworn that this had worked for me. Really, I
>>> tested it.
>>> But now it isn't. I can only think that maybe I already had some AFS
>>> tokens
>>> and I was just regrabbing them.
>>>
>>> I hearby pull out my "works for me".
>>>
>>> I so far have found at least one problem. After getting a kerberos
>>> ticket, if
>>> I do just a
>>> /usr/bin/aklog
>>> I get a
>>> Segmentation fault
>>> So clearly the /usr/bin/aklog isn't working as it should.
>>> I'm investigating.
>>> Troy
>>
>>
>>
>> --
>>
>> ----------------------------------------------------
>> | Stephan Wiesand | |
>> | | |
>> | DESY - DV - | phone +49 33762 7 7370 |
>> | Platanenallee 6 | fax +49 33762 7 7216 |
>> | 15738 Zeuthen | |
>> | Germany | |
>> ----------------------------------------------------
>
>
> --
> __________________________________________________
> Troy Dawson [log in to unmask] (630)840-6468
> Fermilab ComputingDivision/CSS CSI Group
> __________________________________________________
--
__________________________________________________
Troy Dawson [log in to unmask] (630)840-6468
Fermilab ComputingDivision/CSS CSI Group
__________________________________________________
|